Cyber security: The art of the hack

Also on KPMG.com

The only way to know your system is secure is to ask a penetration tester to find the weak points. We asked KPMG’s Mathew Ettelaie, Penetration Tester of the Year at the Cyber Security Awards 2016, how he breaks into some of the world’s biggest networks.

What do you do?

I emulate the hackers. I use the same tools, techniques and processes that criminals or nation states might do. The aim is to help organisations understand their weaknesses and then improve their security.

Who do you hack?

Literally anyone: from FTSE 100 companies all the way through to SMEs. We also work with the government on national security issues. It’s truly cross-sector.

How serious is getting hacked?

It can be very serious. We penetration test utility firms, and a hack against a key process control system could have disastrous consequences. Imagine a dam failing or a hacker tampering with our water supplies. Of course, we also test bank security, and in one case found a way to get £10,000 out of an ATM, while only being debited for £10. We reported it, it got fixed.

How do you get in?

We have a top ten list of issues to run through. If they don’t work we scratch heads, have a cup of tea and consider what else it could be. A lot of it is a technical exploit: someone has forgotten to update the security software on a computer, for example.

Or sometimes there is a human dimension. For example, we might try to get someone with high access privileges – IT support, for example – to log in using our laptop. If they don’t remember to restart the computer afterwards you can get hold of their username and password with key-logging software.

For the average business, ransomware is a big problem. You only need one employee to open a malicious attachment and you are in trouble. Ransomware can be bought on the Dark Web. It’s ‘crime-as-a-service’.

The business model is interesting. When you pay the ransom they actually want you to get your files back. They need you to. If you went around saying you paid and got nothing the business model would be destroyed.

The Internet of Things is reputed to have bad security. Is this true?

Yes, it’s terrible. I have seen a case where an attacker could have accessed a large company’s entire system via a smart TV. They could get into the CEO’s email, access the finance system and even make changes to manufacturing processes.

There’s no telling the damage that a hacker could have inflicted, but instead I was able to help the company understand their weaknesses and improve security.

How do penetration testers get into the industry?

There are two main routes, academic and non-academic. I did computer science at Warwick. Then became fed up with computers and became a roadie. I had a moment of enlightenment and realised it wasn’t a career: I couldn’t be doing sound checks at 50! So I did a Masters in information security. A lot of our team had unusual routes into the profession. One of our best testers has a degree in music; another studied economics.

Penetration testing qualifications are set by CREST, the industry body. You start at the bottom and work to the top until you have all the qualifications.

Disaster strikes! What can KPMG do to help?

Our team is split into two. There are the penetration testers like me. And the other is our instant response team. When there is a breach they go in and kick out the hackers. Then clean up and do a breach assessment.

Is there a 100 per cent reliable software solution?

Most of the technologies on sale can hinder a hacker. But some products are sold like witchcraft. They say they will defeat the hackers. There is no one-stop solution.

What’s the best way to spend budget to boost security?

Staff members need to understand that they have a role to play. If one person sets a weak password like Password123 it will be cracked by brute force. Just because you work in accounts, and are nowhere near the board, don’t think you don’t matter.